tags:

views:

412

answers:

3
Q: 

"A potentially dangerous Request.Form value.." error when ModelState.IsValid is false

In one of our ASP.NET MVC application we are using FCKEditor to allow users to enter rich text. In order to turn off the validation in the controller actions we set the attribute 

[ValidateInput(false)]

Users are able to save and modify the rich text as long as there are no business validation errors in the page.

If any of the business validations fail and the ModelState.IsValid is set to false, on rendering the page the following exception is raised. Can someone let me know how to solve this issue?

A potentially dangerous Request.Form value was detected from the client (Programme_Overview="

Here is the code

    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Schedule(FormCollection formValues)
    {
      // some code
      if (ModelState.IsValid)
        {
            //do something here...
        }
        else
        {               
            return View(programDetails);
        }


     }

    //// View code that render the fckeditor text area
    <%= Html.TextArea("Programme_Overview", Model.Programme.Overview, new { row = 7 })%>
A: 

It is likely some HTML output from your fuckeditor gets somehow submitted.

You can try to switch the validation off:

public MyController
{
    [ValidateInput (false)]
    public ActionResult MyAction ()
    {
    }
}
User  2009-07-14 07:36:21
A: 

Just add the following to your action:

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult SomeAction() {}
Darin Dimitrov  2009-07-14 07:37:08
Even after specifying [ValidateInput(false)], the exception is raised if ModelState.IsValid is set to false while rendering the view
Gopinath  2009-07-14 07:48:53
Could you show us your action method and the html form?
Darin Dimitrov  2009-07-14 08:38:15
darin, i updated the question with code.
Gopinath  2009-07-14 11:50:23
A: 

I'm guessing this project was migrated from a pre-1.0 RTM project.

Original ASP.NET has page-level "dangerous input" validation that you're tripping up. We have turned it off system-wide with a change to the Web.config file in the Views folder, but I don't remember exactly when we made that change. If your project pre-dates this change, then you won't have that setting in your Web.config file in the Views folder.

So you can make a new MVC project and look at the Web.config file to see what setting(s) you might want to copy over. You can also disable this on a page-by-page basis if you want.

http://www.asp.net/learn/whitepapers/request-validation/

Brad Wilson  2009-07-15 12:59:09
Brad Wilson,I'm not sure what version of MVC we have. Can you please tell me how to find it on my PC?We installed MVC with the help of Web Installer 2 months ago. The web.config file located in the View folder has <pages validateRequest="false" pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
Gopinath  2009-07-16 09:55:55
You have 1.0 installed, and I see the validatedRequest="false" line is there, so I'm not clear why you should be hitting this error (unless you've added "validateRequest=true" to the <%@ Page %> directive in your actual page).
Brad Wilson  2009-07-16 21:48:09

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data